package org.springframework.security.oauth2.server.authorization.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Elements;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.support.WebContentGenerator;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.0.2.jar:org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.class */
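/**
 * Extracts an OAuth 2.0 Authorization Code Grant request from an {@link HttpServletRequest} and
 * turns it into an {@link OAuth2AuthorizationCodeRequestAuthenticationToken}.
 *
 * <p>The converter only parses and shape-checks the request; it does not authenticate the client
 * or the resource owner. Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code response_type}, {@code client_id}, {@code redirect_uri}, {@code scope},
 *       {@code state}, {@code code_challenge} and {@code code_challenge_method} are rejected with
 *       {@code invalid_request} when supplied more than once, so a duplicated parameter cannot be
 *       read differently by different components.</li>
 *   <li>Any other parameter is copied into the additional-parameters map using its first value
 *       only; duplicates of those parameters are not rejected here.</li>
 *   <li>When no {@link Authentication} is present in the security context, an anonymous
 *       principal is attached to the token.</li>
 * </ul>
 */
public final class OAuth2AuthorizationCodeRequestAuthenticationConverter implements AuthenticationConverter {
    /** Error URI for authorization-request errors (RFC 6749, section 4.1.2.1). */
    private static final String DEFAULT_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
    /** Error URI for PKCE parameter errors (RFC 7636, section 4.4.1). */
    private static final String PKCE_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1";
    /** Principal used when the security context holds no authentication. */
    private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken(Elements.ANONYMOUS, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    /** Matches POST requests that carry {@code response_type} and an {@code openid} scope. */
    private static final RequestMatcher OIDC_REQUEST_MATCHER = createOidcRequestMatcher();

    /**
     * Converts the request into an authorization-code request token.
     *
     * @param httpServletRequest the incoming authorization request
     * @return the token built from the request parameters, or {@code null} when the request is
     *     neither a GET nor a POST accepted by the OIDC matcher
     * @throws OAuth2AuthorizationCodeRequestAuthenticationException if a required parameter is
     *     missing, a checked parameter appears more than once, or {@code response_type} is not
     *     {@code code}
     */
    @Override
    public Authentication convert(HttpServletRequest httpServletRequest) {
        // Only GET, or the OIDC form-post variant, is handled; anything else is left to other converters.
        if (!"GET".equals(httpServletRequest.getMethod()) && !OIDC_REQUEST_MATCHER.matches(httpServletRequest)) {
            return null;
        }
        MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(httpServletRequest);

        // response_type (REQUIRED): exactly one value, and it must be "code".
        String responseType = httpServletRequest.getParameter(OAuth2ParameterNames.RESPONSE_TYPE);
        if (!StringUtils.hasText(responseType) || !hasSingleValue(parameters, OAuth2ParameterNames.RESPONSE_TYPE)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.RESPONSE_TYPE);
        } else if (!responseType.equals(OAuth2AuthorizationResponseType.CODE.getValue())) {
            throwError(OAuth2ErrorCodes.UNSUPPORTED_RESPONSE_TYPE, OAuth2ParameterNames.RESPONSE_TYPE);
        }

        String authorizationUri = httpServletRequest.getRequestURL().toString();

        // client_id (REQUIRED): exactly one value.
        String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
        if (!StringUtils.hasText(clientId) || !hasSingleValue(parameters, OAuth2ParameterNames.CLIENT_ID)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID);
        }

        // The resource owner may not be signed in yet; fall back to an anonymous principal.
        Authentication principal = SecurityContextHolder.getContext().getAuthentication();
        if (principal == null) {
            principal = ANONYMOUS_AUTHENTICATION;
        }

        // redirect_uri (OPTIONAL): at most one value. Only multiplicity is checked here; this
        // class does not compare the value with any registered redirect URI.
        String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
        if (StringUtils.hasText(redirectUri) && !hasSingleValue(parameters, OAuth2ParameterNames.REDIRECT_URI)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI);
        }

        // scope (OPTIONAL): at most one value, split on single spaces into a set.
        HashSet<String> scopes = null;
        String scope = parameters.getFirst(OAuth2ParameterNames.SCOPE);
        if (StringUtils.hasText(scope) && !hasSingleValue(parameters, OAuth2ParameterNames.SCOPE)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.SCOPE);
        }
        if (StringUtils.hasText(scope)) {
            scopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
        }

        // state (OPTIONAL): at most one value.
        String state = parameters.getFirst(OAuth2ParameterNames.STATE);
        if (StringUtils.hasText(state) && !hasSingleValue(parameters, OAuth2ParameterNames.STATE)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.STATE);
        }

        // PKCE parameters: at most one value each. They are not excluded below, so they travel
        // to the authentication provider inside the additional-parameters map.
        if (StringUtils.hasText(parameters.getFirst(PkceParameterNames.CODE_CHALLENGE))
                && !hasSingleValue(parameters, PkceParameterNames.CODE_CHALLENGE)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE, PKCE_ERROR_URI);
        }
        if (StringUtils.hasText(parameters.getFirst(PkceParameterNames.CODE_CHALLENGE_METHOD))
                && !hasSingleValue(parameters, PkceParameterNames.CODE_CHALLENGE_METHOD)) {
            throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI);
        }

        // Everything that is not a core parameter is forwarded with its FIRST value only.
        // NOTE(review): repeated occurrences of such parameters are silently dropped rather than
        // rejected; consumers of the map should not assume they were single-valued on the wire.
        HashMap<String, Object> additionalParameters = new HashMap<>();
        parameters.forEach((name, values) -> {
            if (!isCoreParameter(name)) {
                additionalParameters.put(name, values.get(0));
            }
        });

        return new OAuth2AuthorizationCodeRequestAuthenticationToken(
                authorizationUri, clientId, principal, redirectUri, state, scopes, additionalParameters);
    }

    /**
     * Builds the matcher that lets an OpenID Connect authentication request arrive as a POST.
     *
     * <p>NOTE(review): the scope test is a substring check, so any {@code scope} value that
     * merely contains the text {@code openid} also selects this path. It only gates whether a
     * POST is converted; whether the requested scopes are acceptable is presumably decided
     * downstream - confirm against the authentication provider.
     */
    private static RequestMatcher createOidcRequestMatcher() {
        RequestMatcher postMethodMatcher =
                request -> WebContentGenerator.METHOD_POST.equals(request.getMethod());
        RequestMatcher responseTypeParameterMatcher =
                request -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
        RequestMatcher openidScopeMatcher = request -> {
            String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
            return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID);
        };
        return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher, openidScopeMatcher);
    }

    /**
     * Tells whether {@code name} occurs exactly once in {@code parameters}. A missing entry is
     * reported as "not single-valued" instead of failing with a {@link NullPointerException}.
     */
    private static boolean hasSingleValue(MultiValueMap<String, String> parameters, String name) {
        List<String> values = parameters.get(name);
        return values != null && values.size() == 1;
    }

    /** Tells whether {@code name} is one of the parameters carried as a dedicated token field. */
    private static boolean isCoreParameter(String name) {
        return name.equals(OAuth2ParameterNames.RESPONSE_TYPE)
                || name.equals(OAuth2ParameterNames.CLIENT_ID)
                || name.equals(OAuth2ParameterNames.REDIRECT_URI)
                || name.equals(OAuth2ParameterNames.SCOPE)
                || name.equals(OAuth2ParameterNames.STATE);
    }

    /** Raises an error for {@code parameterName} that points at the RFC 6749 error section. */
    private static void throwError(String errorCode, String parameterName) {
        throwError(errorCode, parameterName, DEFAULT_ERROR_URI);
    }

    /**
     * Raises an authorization-request error for {@code parameterName}.
     *
     * <p>No request token is attached to the exception (the second constructor argument is
     * {@code null}). The error description names only the parameter, never its value, so
     * attacker-supplied input is not echoed back through the error.
     *
     * @throws OAuth2AuthorizationCodeRequestAuthenticationException always
     */
    private static void throwError(String errorCode, String parameterName, String errorUri) {
        OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, errorUri);
        throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
    }
}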
